Serverless Security Workshop

© 2019, Amazon Web Services, Inc. or its affiliates. All
rights reserved. Serverless Security Workshop Danilo Poccia, Principal Evangelist @danilop James Beswick, Senior Developer Advocate @jbesw Heitor Lessa, Specialist Solutions Architect @heitor_lessa Simon Thulbourn, Specialist Solutions Architect @sthulb S e r v e r l e s s D a y s L o n d o n 2 0 1 9 . 0 7 . 1 2

rights reserved. Agenda • Serverless security – is it different? • Security domains for serverless applications • Workshop scenario • How to secure serverless applications • Hands-on

rights reserved. Sample architecture for serverless API endpoint Amazon API Gateway AWS Lambda Amazon DynamoDB Amazon RDS Users Amazon Cognito

rights reserved. Sample architecture for serverless web app Amazon API Gateway AWS Lambda Amazon DynamoDB Amazon RDS Users Amazon CloudFront Amazon S3 Amazon Cognito

rights reserved. How is serverless security different? Different: • Reduced scope • Ephemeral environment • More events can trigger your AWS Lambda • Old techniques might not be relevant But still… • Need to secure databases, S3 buckets, etc. • Need to secure your code. • Need to use minimum privilege access. • Need to monitor usage and data flow. https://www.protego.io/ebook/

rights reserved.

rights reserved. Domains of security for (serverless) applications Infrastructure Data Code Identity & Access Logging & Monitoring

rights reserved. OWASP 2017- Top 10 Web Application Security Risks Rank Security risks 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities (XXE) 5 Broken Access Control 6 Security Misconfiguration 7 Cross-Site Scripting (XSS) 8 Insecure Deserialization 9 Using Components with Known Vulnerabilities 10 Insufficient Logging & Monitoring https://www.owasp.org • Exploitability • Prevalence • Detectability • Technical impact

rights reserved. OWASP Top 10 mapped to security domains Infrastructure Data Code Identity & Access Logging & Monitoring • Broken Authentication(#2) • Broken Access Control (#5) • Injection (#1) • XXE (#4) • XSS (#7) • Insecure Deserialization (#8) • Using Components with Known Vulnerabilities (#9) • Sensitive Data Exposure (#3) • Using Components with Known Vulnerabilities (#9) • Security Misconfiguration (#6) • Insufficient Logging & Monitoring (#10)

rights reserved.

rights reserved. Scenario: Wild Rydes (www.wildrydes.com)

rights reserved. 3rd party functionality– unicorn customization Visit beautiful Unicornpolis! Sock image Credit: Freepik from www.flaticon.com

rights reserved. List customization options and prices: GET /capes GET /glasses GET /horns GET /socks 3rd party API: Unicorn customization Image Credit: Smashicons, Freepik, from www.flaticon.com johnny_automatic from www.openclipart.org

rights reserved. 3rd party API: Unicorn customization Create and manage customizations POST /customizations GET /customizations GET /customizations/{id} DELETE /customizations/{id}

rights reserved. Admin API: register 3rd party partners Register new partners POST /partners

rights reserved. Workshop architecture – starting point Amazon API Gateway AWS Lambda Amazon RDS 3rd party Not secure!

rights reserved. Your task: secure the application against attackers! Image Credit: pongsakornred, Freepik from www.flaticon.com

rights reserved. Workshop Link to the workshop: https://amzn.to/serverless-security Module 0 mandatory Module 1-8: Pick your own battle! Infrastructure Data Code Identity & Access Logging & Monitoring Module 1: auth Module 2: Secrects Module 8: X-Ray Module 4: Encryption in transit Module 5: usage plans Module 6: WAF Module 3: input validation Module 7: dependency vulnerability

rights reserved.

rights reserved. Identity and access management for serverless applications • Authenticate and authorize end- users/clients • Access between backend services (e.g. AWS Lambda to DynamoDB tables) Infrastructure Data Code Identity & Access Logging & Monitoring

rights reserved. Identity and access management for serverless applications Access control between services Authenticate & authorize end-users/clients

rights reserved. Workshop module 1: OAuth Client Credentials Flow Client Authorization server Resource server Client credentials (ClientID + Client Secret) Access token Call protected resource with access token protected resource response Resource server Authorization server Client

rights reserved. Workshop module 1: add authentication Amazon API Gateway AWS Lambda Amazon RDS (Aurora MySQL) 3rd party Amazon Cognito Client authentication AWS Lambda (Custom authorizer) Verify access token and scope Amazon DynamoDB (Mapping ClientID -> backend companyID) Download public key to validate token OWASP #2: Broken Authentication OWASP #5: Broken Access Control

rights reserved. Workshop module 1: add authentication Amazon Cognito Admin App client: • Client ID: ZZZ • Client Secret Company bar app client: • Client ID: YYY • Client Secret Company foo app client: • Client ID: XXX • Client Secret Amazon Aurora Company table ID Name 1 Foo 2 Bar … Mapping table ClientID BackendID XXX 1 YYY 2 Amazon DynamoDB

rights reserved. Securing code for serverless applications • Input validation • Dependency vulnerabilities • Secrets in source code Infrastructure Data Code Identity & Access Logging & Monitoring

rights reserved. Securing code for serverless applications Input validation Storing secrets • AWS WAF: • XSS Rules • SQL injection rules • AWS Secrets Manager • Systems Manager Dependency vulnerabilities

rights reserved. Module 2: Secret Manager Amazon API Gateway AWS Lambda Amazon RDS (Aurora MySQL) 3rd party AWS Secrets Manager CloudFormation Secret Rotation OWASP #3: Sensitive Data Exposure

rights reserved. Module 3: Input Validation Amazon API Gateway 3rd party AWS Lambda { ”unexpectedAttr":"1", } Request body { ”name":”AwesomeUnicorn", "imageUrl": "http://this.jpg", "sock": "1", "horn": "1", "glasses": "1", "cape": "1" } /customizations POST • OWASP #1: Injection • OWASP #8: Insecure Deserialization

rights reserved. Module 7: Dependency Vulnerability • Check for vulnerabilities on our dependencies • OWASP Dependency Check: https://www.owasp.org/index.php/O WASP_Dependency_Check • Third party tools • Remove unused dependencies • depcheck: https://www.npmjs.com/package/de pcheck http://npm.anvaka.com/#/view/2d/request • OWASP #9: Using Components with Known Vulnerabilities

rights reserved. Securing data for serverless applications Your responsibility: • Data Classification and Data Flow • Tokenization • Encryption at rest • Encryption in transit • Data Backup/Replication/Recovery Infrastructure Data Code Identity & Access Logging & Monitoring Managed backups/ encryption

rights reserved. Securing data for serverless applications Data Classification Data backup/Replication Data Encryption at rest Data Flow Data Encryption in transit Data Tokenization

rights reserved. Module 4: encryption in transit Amazon API Gateway AWS Lambda Amazon RDS (Aurora MySQL) 3rd party { host: ”database.host.com", user: "admin", password: ”xxxxxxx", database: "unicorn_customization", ssl: "Amazon RDS" } { host: ”database.host.com", user: "admin", password: ”xxxxxxxxx", database: "unicorn_customization" } OWASP #3: Sensitive Data Exposure

rights reserved. Securing infrastructure for serverless applications Your responsibility: • DDOS protection • Throttling/ Rate limiting • Network boundaries Infrastructure Data Code Identity & Access Logging & Monitoring

rights reserved. Securing infrastructure for serverless applications DDOS protection + Throttling/ Rate limiting Network boundaries • AWS WAF: • Geoblocking • IP reputation lists • Rate-based rules • Size constraint

rights reserved. Module 5: Usage Plans Amazon API Gateway AWS Lambda Amazon RDS 3rd party AWS Lambda (Custom authorizer) + API key + API key

rights reserved. Module 6: WAF AWS Lambda 3rd party Amazon API Gateway AWS WAF Amazon RDS

rights reserved. Logging & monitoring for serverless applications • Application logs • Access logs • Control plane audit logs • Metrics • Alarms • Compliance validation Infrastructure Data Code Identity & Access Logging & Monitoring

rights reserved. Logging & monitoring for serverless applications Logging and tracing Metrics Compliance validation

rights reserved. Module 8: X-Ray OWASP #10: Insufficient Logging & Monitoring

rights reserved. Workshop Link to the workshop: https://amzn.to/serverless-security Module 0 mandatory Module 1-8: Pick your own battle! Infrastructure Data Code Identity & Access Logging & Monitoring Module 1: auth Module 2: Secrects Module 8: X-Ray Module 4: Encryption in transit Module 5: usage plans Module 6: WAF Module 3: input validation Module 7: dependency vulnerability

Serverless Security Workshop

Serverless Security Workshop

More Decks by Danilo Poccia

Other Decks in Programming

Featured

Transcript